Fedora This forum is for the discussion of the Fedora Project. |
12-21-2005, 07:08 PM
|
#1
|
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Rep:
|
Couldn't create socket: Permission denied
How can I solve this problem? I'm testing a cgi proxy script and this is the message I'm getting from the script. I'm using Fedora 4.
|
|
|
12-21-2005, 07:44 PM
|
#2
|
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Rep:
|
You must be root to bind to a port < 1024
|
|
|
12-21-2005, 08:06 PM
|
#3
|
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Rep:
|
Thanks for the quick response...
Now this is a cgi script running from my web server... I made it 777 and it is owned by root... what else can I do? And the same script is running well from my dedicated server... it is my home server where I have problems.
Last edited by piforever; 12-21-2005 at 08:08 PM.
|
|
|
12-21-2005, 08:34 PM
|
#4
|
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Rep:
|
If it is running on the webserver, then it will be running as the server's uid, not root...
Best solution is to change the script so it uses a port greater than 1024. You can also make the script suid root, but this is very bad security-wise, and I would not recommend it unless the server is not publicly accessible, and you can trust your local users.
|
|
|
12-22-2005, 06:26 AM
|
#5
|
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Rep:
|
Thnx
That is weird... I just opened the script and looked in it for the error message hoping I might find a clue... but I could not find the message in the cgi script. So it seems this is related to how perl is installed on my server. When I installed the system I picked web server configurations and added extra things.
chmod 4755 cgi_script << Is this how it should be done? Because I tried it but it did not work; in this case the cgi will not work at all. So I changed it back to 755. The file is root:root
Last edited by piforever; 12-22-2005 at 06:27 AM.
|
|
|
12-22-2005, 07:43 AM
|
#6
|
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Rep:
|
Quote:
I could not find the message in the cgi script
|
Yeah, that's because the error is coming from the kernel...
Yeah, that will make it setuid. Same error message?
Not sure what to tell you. You say it's working fine on a different server, can you not compare the configuration with the one that works?
|
|
|
12-22-2005, 07:57 AM
|
#7
|
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Rep:
|
Quote:
Originally Posted by bulliver
Yeah, that's because the error is coming from the kernel...
Yeah, that will make it setuid. Same error message?
Not sure what to tell you. You say it's working fine on a different server, can you not compare the configuration with the one that works?
|
I don't know if it is possible. The other server is controlled by Plesk and the system is RH 9. My server at home is Fedora Core 4.
Now when you chmod a cgi script to 4755... are you expecting it to run as any cgi script or not? Because in my case it does not run at all... it should be 755 or 777 to run! Probably if I can fix this problem and the cgi script executes even if the permission is 4755, this could resolve the problem.
What security problems if it runs in this mode?
And many thanks for the help... I really appreciate that.
|
|
|
12-22-2005, 03:27 PM
|
#8
|
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Rep:
|
Quote:
Now when you chmod a cgi script to 4755... are you expecting it to run as any cgi script or not? Because in my case it does not run at all... it should be 755 or 777 to run! Probably if I can fix this problem and the cgi script executes even if the permission is 4755, this could resolve the problem
|
suid should make the script run as the script's owner, no matter who runs it, i.e. root.
Quote:
What security problems if it runs in this mode???
|
The fact that it runs as root is a security problem in itself. I don't know what your script does, but if it is exploitable, then the exploiter will have root access to your system! As I mentioned, I heartily recommend _not_ making it suid if your server is available over the internet at large...
You have not given any info on what your cgi script does, but the best solution to your problem is to edit the script and see if you cannot make it use a port greater than 1024. If you can do this, then the socket call does not require root privileges.
As for the script not running when suid, perhaps this is the problem:
Code:
# This `suexec` module provides the ability to execute CGI scripts under
# a different user than apache is run.
#
LoadModule suexec_module modules/mod_suexec.so
Perhaps you don't have this apache module loaded, in which case the script will not run suid...
|
|
|
12-22-2005, 04:20 PM
|
#9
|
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Rep:
|
Thanks for the explanation...
The script I'm using is basically a cgi proxy, I'm sure you know it. http://www.jmarshall.com/tools/cgiproxy/
Is it OK to assume that a vulnerability will occur only if the cgi is not known... like if a user asked me to make his script root. But for a script like the one I'm using where we know everything about it... it will be OK to make it root?
|
|
|
12-22-2005, 04:52 PM
|
#10
|
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Rep:
|
Hi,
Let me start by saying.....ThAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAnk yOuuuuuuuuuu for all the explanation... I learned a lot from the discussion with you.
The solution to the problem was turning off the SELinux protection for the httpd daemon!
Can you explain what the hell is that thing?! Is it important? Shall I turn it off for the rest? I got the idea by looking at the stanton-finley tutorial.
Kind Regards,
Last edited by piforever; 12-22-2005 at 04:55 PM.
|
|
|
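The thread ends with SELinux, not the port number or file mode, being what denied the socket. As an added example (not written by any poster in the thread), this script summarises AVC denials issued to httpd domains on socket object classes, which is how that cause can be confirmed from the logs; the log lines, the `proxy.cgi` name and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise SELinux AVC denials that hit web-server domains
# on socket object classes. All sample log lines below are constructed.

# Constructed sample in audit.log format (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1135288800.101:41): avc:  denied  { create } for  pid=2311 comm="proxy.cgi" scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:system_r:httpd_sys_script_t tclass=tcp_socket
type=AVC msg=audit(1135288801.220:42): avc:  denied  { create } for  pid=2319 comm="proxy.cgi" scontext=system_u:system_r:httpd_sys_script_t tcontext=system_u:system_r:httpd_sys_script_t tclass=tcp_socket
type=AVC msg=audit(1135288805.007:43): avc:  denied  { read } for  pid=2400 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1135288809.450:44): avc:  denied  { name_bind } for  pid=2500 comm="named" src=8053 scontext=system_u:system_r:named_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=SYSCALL msg=audit(1135288801.220:42): arch=40000003 syscall=102 success=no exit=-13 comm="proxy.cgi"
EOF
}

# Print "count comm domain permission class" for denied socket operations
# whose source domain is httpd_t or another httpd_*_t domain.
# Reads the files given as arguments, or stdin when there are none.
# The match is on "avc:" + "denied", so it also works on syslog lines
# where the kernel writes AVC messages without auditd running.
httpd_socket_denials() {
  awk '
    /avc:/ && /denied/ {
      perm = ""; comm = ""; dom = ""; cls = ""
      # Permission list sits between "{ " and " }".
      if (match($0, /\{ [^}]+ \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
        # scontext is user:role:type[:level]; the type is the domain.
        if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (dom ~ /^httpd_/ && cls ~ /_socket$/)
        seen[comm " " dom " " perm " " cls]++
    }
    END { for (k in seen) print seen[k], k }
  ' "$@" | sort
}

# Stand-alone run over the constructed sample.
sample_audit_log | httpd_socket_denials
```

Pointed at a real log, for example `httpd_socket_denials /var/log/audit/audit.log`, a non-empty result shows which permission the policy denied and to which domain, which allows a narrower policy change than switching off SELinux protection for httpd as a whole.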
All times are GMT -5. The time now is 05:34 AM.